[Oisf-users] suricata setup with a passive tap
David
david at damnetwork.net
Tue Mar 19 13:28:25 UTC 2013
I have a question I couldn't find in the archives and I'm hoping it's not silly, heh.
I built a passive tap (see below for details) to monitor the traffic coming and going from the internet (cable modem) to my router (Apple Airport Extreme). The tap is set up so that the traffic gets copied to an internal server (batista) where suricata monitors and alerts, strictly being used as an IDS for now. Basically, here's my traffic flow:
Internet -> batista:eth2 -> Airport Extreme
Airport Extreme -> batista:eth1 -> Internet
Suricata HOME_NET:
HOME_NET: "[192.168.0.0/24,xx.xx.xx.xx]" <- xx = my external IP
I have suricata set up to listen on both interfaces on batista:
af-packet:
  - interface: eth1
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
  - interface: eth2
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
So, my question is: Is this the right kind of setup for suricata to monitor traffic with a passive tap? I have the ET rules set up and working, I get alerts in my log files and everything *seems* good. I just want to make sure I'm using suricata correctly (setup and config) before I start asking my next questions.
passive tap: http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/
The reason I'm using a passive tap is I don't want my IDS box to be a point of failure. If the server goes down, I want traffic to still flow.
Thanks,
David
"I find your lack of faith disturbing."
--Darth Vader
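Added example, not part of David's post or of Suricata itself: with a passive tap each direction of a conversation arrives on a different interface (eth2 carries Internet -> router, eth1 carries router -> Internet), so the IDS only has full visibility if it merges the two one-way streams into one bidirectional flow keyed on a direction-independent 5-tuple, which is what Suricata's flow engine does. The script models that merge on constructed packet records and flags flows seen on only one side, the symptom of a miscabled or half-working tap; interface names and addresses are assumed for illustration.

```python
"""Passive-tap sanity check: merge one-way captures into bidirectional flows."""
from collections import defaultdict

# Constructed packet records (not real captures):
# (interface, src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE_PACKETS = [
    ("eth2", "203.0.113.7", 443, "192.168.0.10", 51000, "tcp"),   # inbound half
    ("eth1", "192.168.0.10", 51000, "203.0.113.7", 443, "tcp"),   # outbound half
    ("eth1", "192.168.0.10", 51001, "198.51.100.2", 53, "udp"),   # reply never seen
    ("eth2", "203.0.113.7", 443, "192.168.0.10", 51000, "tcp"),   # more inbound
]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple: endpoints are ordered so that
    A->B and B->A map to the same key, like an IDS flow table does."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if a > b:
        a, b = b, a
    return (proto, a, b)


def merge_flows(packets):
    """Group one-way packet records into bidirectional flows.

    Returns {flow_key: {"interfaces": set of tap interfaces, "packets": int}}.
    """
    flows = defaultdict(lambda: {"interfaces": set(), "packets": 0})
    for iface, sip, sport, dip, dport, proto in packets:
        entry = flows[flow_key(sip, sport, dip, dport, proto)]
        entry["interfaces"].add(iface)
        entry["packets"] += 1
    return dict(flows)


def one_sided_flows(packets):
    """Flow keys seen on only one tap interface: with a passive tap every
    complete conversation must show up on both, so these deserve a look."""
    return sorted(k for k, v in merge_flows(packets).items()
                  if len(v["interfaces"]) < 2)


if __name__ == "__main__":
    for key, info in merge_flows(SAMPLE_PACKETS).items():
        print(key, info)
    print("one-sided:", one_sided_flows(SAMPLE_PACKETS))
```

Pointing the same logic at two real per-interface captures (or at Suricata's own flow log) shows quickly whether both tap legs are actually being delivered to the sensor.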